The Big Game is just days away. Whether it’s the Patriots or Rams who win the Super Bowl, we know for sure that the end of the season brings with it a period of turnover and uncertainty - feelings familiar to many of us in cybersecurity.
After trophies and parades, bloggers and talk radio turn to a favorite staple: forecasting which teams' assistants will earn head coaching jobs based on the perceived power of their playbooks. This parallels playbook buzz in security, in which a host of community voices are touting playbook-style approaches to security challenges, from expediting repetitive tasks to identifying malware to simulating attackers. Playbooks appeal to the emotional needs of anyone facing high-stakes, must-win scenarios, whether in a stadium or a security operations center (SOC). It is only natural to seek an edge by studying someone's winning formula.
Yet history is full of coaches taking a winning scheme to a new city, where their vaunted playbooks fall short because of different talent, timelines, and owner idiosyncrasies. The same applies to security leaders. So how can you avoid that outcome? Here are four key questions to ask as you study your playbook options.
1. What Does Your Organization Look Like?
Playbooks are supposed to create mismatches - but not in locker rooms and team meetings. Many a coaching guru finds it hard aligning trainers, scouts, general managers, and players around their strategies.
However, there are no "rebuilding years" in cybersecurity. Every new tool or formula you introduce has to make a positive difference from Day One. Make sure any playbook approach you are signing up for pairs well to your team, as well as executive sponsors' culture and timetable. What are the stakes? If you just received the resources to pick up MITRE ATT&CK and tinker with a few offensive exercises, that has very different blowback risks compared with swapping out part of your production security stack. Make sure you are on the same frequency with "owners" so that everyone can be upfront about purpose, needs, and benefits.
2. Is It Your Playbooks - or the Play-Calling?
The entire premise of a playbook's value is the idea that a valid body of experience and community - coaches, athletes, or security experts - found that "in situation [X], action [Y] is usually the most productive option." On the gridiron, it could be a designated quarterback run out of a four-receiver set to fool the defense. On a network, it could be rapidly initiating processes to find and contain files meeting a range of attributes before a payload detonates. But how do you know which play to call and when?
Coaches rely on sideline or press box views to compare what their eyes see with options on a clipboard. In the SOC, the field of action is defined by the complex plumbing of layered security products’ consoles, threat intelligence feeds, SIEM dashboards, and other monitors. Hiccups and misalignment in this plumbing prevent security coaches from knowing the true "down and distance," offsetting any playbook's value. Before replacing your plays, make sure you are calling the game with clear eyes and ears.
3. Do Position Coaches and Players Think?
The best coaches adapt systems to fit their players' unique mix of skills and experience. The same is true in cybersecurity. When you go all-in on a new playbook, you are bound to introduce new roles and assignments. Staff will have to shift how they spend their time, get trained on new tools, or become comfortable handing some of their work over to software. Seek out the players and coaches on your team who will tackle these changes head-on.
In football, certain plays are routine, such as a running play meant to gain at the last five yards. Similarly, in security many plays are routine, too, like updating rulesets and filters. The outcome of the game does not hang in the balance. Conversely, just like a blocked punt or kick-off return for a touchdown can change the whole complexion of the game, as the cliché goes, SOC teams need to make sure new wrinkles like automation and playbook twists do not trip up the most important things to execute when they matter most.
4. What Do the Numbers Say?
In the metrics-driven sports world, scoreboards are all that matter. If a newly installed offense coincides with a spectacular season, fans thank the playbook before wondering whether fewer injuries or rival teams' down years made the difference.
Unfortunately, there are no universal closing whistles or scoreboards in the art and science of cyber risk. Wins and losses are subjective labels handed out according to organizations' different risk tolerances, assets, and industries. Security leaders have to crunch the right numbers necessary to give boardroom and C-suite decision-makers both skybox and sideline views of the game. Before you swap out playbook code or approaches, consider how they impact the data you must or want to collect and compare.
Vital numbers can take many forms. Consider immediate hard figures, like the rate of incidents detected and investigated and time to remediation but press for a sense of incident responders time and stress level as well. There needs to be sound correlation. If a playbook seems to be crushing the numbers but the team still feels overwhelmed or unsure whether new actions are getting to the root cause of issues, you might not have the metrics necessary to back up your coaching decisions so you'll still need to press playbook developers for improvements.
In sports and cybersecurity, change management is the true test of champions. Players get hurt, free agency steals veterans, and opponents get stronger. In every organization, shifts in the business, IT fabrics, and third-party risks constantly send us back to the whiteboard. Accept that no playbook can replace leadership, bypass all constraints, or anticipate the fundamentally unthinkable.
I am optimistic about playbooks these days. Many of us in security were drawing our own plays up in the dirt years ago, comparatively speaking, so the advent of engaged collaboration and communities distilling new security workflows is a good thing. But we need to keep any playbook in perspective. Focus on what improves your day-to-day outcomes, but be careful of falling into a near-sighted obsession with tactics in a game where alignment and organization are the variables between you and success.